
Understanding Notary


(Frank) #1

I’m trying to understand the notary architecture located here https://docs.docker.com/notary/service_architecture/ but having some trouble understanding what they mean by a few things, as the diagrams lack some details on what is what. It kind of assumes you know, looking at the pic, what an image is.

Anyway I’m trying to understand the entire process and what is run where and where keys are generated and protected.

First off, I guess the icon on the left that looks like a desktop computer is, say, the client/end user of a container?

Then they try to authenticate to a notary server. What is this authentication server? Is this some LDAP, some container? Where does it run, on its own system/container or inside the notary container? I really could not tell, even looking at the directions to start up notary. It seems to be related somehow to implementing JWT, or an implementation of JWT? Is this something you do yourself, or is it part of the directions here that start this authentication server? https://docs.docker.com/notary/running_a_service/

I thought maybe something in Docker Registry 2 that followed might help but that really did not either. https://github.com/docker/distribution/blob/master/docs/spec/auth/token.md


(Jeff Anderson) #2

Notary can be configured to talk to the same token authentication service that the Docker Registry V2 spec uses. In the case of DTR, DTR provides that component. If my DTR is running at https://dtr.example.com/, then my auth service is located at https://dtr.example.com/auth/token.

Check out the “auth” section in this example config file: https://github.com/docker/notary/blob/master/docs/reference/server-config.md#overview

That should give you at least a starting point.

/Jeff
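
To make Jeff's pointer concrete, here is an added example of the "auth" section of a Notary server config file, written for this thread rather than taken from the Notary docs or the forum posts; the DTR hostname, the service name and the certificate path are assumptions:

```json
{
  "server": {
    "http_addr": ":4443"
  },
  "auth": {
    "type": "token",
    "options": {
      "realm": "https://dtr.example.com/auth/token",
      "service": "notary-server",
      "issuer": "dtr.example.com",
      "rootcertbundle": "/etc/notary/dtr-token-signing-cert.pem"
    }
  }
}
```

Notary accepts a client's JWT only if its issuer and audience claims match `issuer` and `service` and its signature chains to a certificate in `rootcertbundle`, so that file has to be the token-signing certificate of the DTR auth service, not the TLS certificate of the DTR host.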


(Frank) #3

Ok, so authorization services are then ultimately provided by DTR? So it is a component of DTR and not something you really do separately. Thus one can look at notary as an add-in/add-on to the DTR?

And it looks like you will then have a number of containers running?
docker_trusted_registry_load_balancer
docker_trusted_registry_image_storage_0
docker_trusted_registry_image_storage_1
docker_trusted_registry_admin_server
docker_trusted_registry_log_aggregator
docker_trusted_registry_auth_server
docker_trusted_registry_postgres

Which I guess could technically run on separate VMs/systems if you so desire? But looking at the config file (Docker Registry 2, from the link you provided) I would have thought the names would have matched up, but I see: server, trust_service, storage, auth, logging, reporting. They seem similar but a little different also.


(Jeff Anderson) #4

In the case of a DTR setup, the authentication/token API is provided by DTR.

Notary is definitely an add-on to any docker registry -- it isn’t a required component by any means.

When you configure the “Notary Server” value in DTR, the load balancer component in DTR is set up to reverse proxy to that URL. When you configure notary to use your DTR’s authentication service, your notary container will need to be able to reach that as well. As long as DTR and notary can reach each other, they can indeed be run on separate hosts.